WIndows 2003 - Winlogbeat x32 alpha4

BongoEADGC6 · August 5, 2016, 9:34pm

I'm having an issue where all the fields under event_data are named param1, param2, param3, param4, etc.

This does not happen when using the x64 version of the software however. Is there a compatibility issue with Windows Server 2003?

I haven't found this discussed before here yet, but excuse me if it already has.

Here is a received message from winlogbeat.

{ "_index": "logstash-2016.08.05", "_type": "eventlogging", "_id": "AVZcm4hTjIf2D8UOn-sV", "_score": null, "_source": { "message": "User Logoff:\n\n\tUser Name:\t$USERNAME$\n\n\tDomain:\t\t$DOMAINNAME$\n\n\tLogon ID:\t\t(0x1,0x5C8F21ED)\n\n\tLogon Type:\t3", "@version": "1", "@timestamp": "2016-08-05T21:28:31.000Z", "log_name": "Security", "record_number": "1701366851", "type": "eventlogging", "source_name": "Security", "user": { "identifier": "S-1-5-21-2084847649-383155021-666385194-89160", "name": "$USERNAME$", "domain": "$DOMAINNAME$", "type": "User" }, "level": "Audit Success", "tags": [ "domain-controller", "Windows", "winlogbeat", "beats_input_codec_plain_applied" ], "computer_name": "$COMPUTERHOSTNAME$", "event_id": 538, "event_data": { "param1": "$USERNAME$", "param2": "$DOMAINNAME$", "param3": "(0x1,0x5C8F21ED)", "param4": "3" }, "beat": { "name": "$COMPUTERHOSTNAME$", "hostname": "$COMPUTERHOSTNAME$" }, "host": "$COMPUTERHOSTNAME$" }, "fields": { "@timestamp": [ 1470432511000 ] }, "highlight": { "host": [ "@kibana-highlighted-field@$COMPUTERHOSTNAME$@/kibana-highlighted-field@" ], "computer_name": [ "@kibana-highlighted-field@$COMPUTERHOSTNAME$@/kibana-highlighted-field@" ], "beat.name": [ "@kibana-highlighted-field@$COMPUTERHOSTNAME$@/kibana-highlighted-field@" ], "beat.hostname.raw": [ "@kibana-highlighted-field@$COMPUTERHOSTNAME$@/kibana-highlighted-field@" ], "host.raw": [ "@kibana-highlighted-field@$COMPUTERHOSTNAME$@/kibana-highlighted-field@" ], "beat.hostname": [ "@kibana-highlighted-field@$COMPUTERHOSTNAME$@/kibana-highlighted-field@" ], "beat.name.raw": [ "@kibana-highlighted-field@$COMPUTERHOSTNAME$@/kibana-highlighted-field@" ] }, "sort": [ 1470432511000 ] }

andrewkroh · August 7, 2016, 2:42pm

This is not a limitation of Winlogbeat. Prior to Windows Vista, the parameters in event log messages were unnamed. The messages contain numbered place holders and the applications that log messages simply pass an array of parameters. Here's an example showing how applications log messages using the Event Logging API (used in pre Windows Vista OSes).

If you want to assign names to the parameters, you could use Logstash to rename the fields based on Event ID.

BongoEADGC6 · August 8, 2016, 6:50pm

So it is safe to assume based on your response that this will not be something that will be done in coming versions of Winlogbeat but must be a manual process by the users?

andrewkroh · August 8, 2016, 6:56pm

Yeah, that is a safe assumption. In order for Winlogbeat to be able to rename these parameters it would have to include a database of applications, the event ID's those apps use, and a mapping of parameter numbers to names for every event ID.

system · August 26, 2016, 9:34pm

This topic was automatically closed after 21 days. New replies are no longer allowed.